XXE in eclipse IDE

Basic information

Project name: org.eclipse.pde org.eclipse.jdt org.eclipse.platform org.eclipse.osgi

Project id: {id}

What are the affected versions?

probably all

Details of the issue

SonarLint reports many possible XXE attacks in eclipse IDE's sourcecode. for example:

Steps to reproduce

Don't know. Probably manipulating development xml-files like "build.xml", "plugin.xml", "feature.xml", ".polyglot.feature.xml", ... which should be normally self contained and do not require access from external sources.

Do you know any mitigations of the issue?

https://rules.sonarsource.com/java/RSPEC-2755 recommends to replace "SAXParserFactory.newInstance();" with code that disables external access by properties see also https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

Similar Code was fixed here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=577341

Hello Jörg, we've received the report. Thank you for contacting us! I'll be adding the project team in the next hours.

@mrybczyn when and how the projects where informed? I am committer on eclipse.platform myself and did not receive any notification.

Thank you @jkubitz for reporting an issue with the assignment. There was a technical glitch and people should be added correctly this time.

@mrybczyn please add also Jonah Graham jonah@kichwacoders.com and Ed Merks ed.merks@gmail.com

@mrybczyn ping

@jkubitz added both. We can also split this issue per-project if it makes sense

made the issue visible to everyone

assigned to @hwellmannwr6

assigned to @vchandra

assigned to @sasinha

assigned to @ngupta

assigned to @mpalat

assigned to @ktatavarthi

assigned to @jarthanaree

assigned to @akurtakov

assigned to @lvogel

assigned to @mistria

assigned to @slakkimsetti

assigned to @hargrave

assigned to @mhoffmannp88

assigned to @jalbertjsd

made the issue confidential

made the issue visible to everyone

assigned to @aloskutov

assigned to @jjohnston

assigned to @lshanmugam

made the issue confidential

For people added or a first time to a confidential issue: you need to be logged in in GitLab to see it, otherwise you will get a 404. I've added project leads for PDE, JDT, Eclipse Platform, and OSGI. If there are more people to add, please add me know. For now, it requires manual manipulations.

I don't see any information here relevant to the OSGi projects. In any case, please replace me with @twatson. Thanks.

made the issue visible to everyone

assigned to @twatson

made the issue confidential

unassigned @hargrave

Can anyone comment on the bug fix https://bugs.eclipse.org/bugs/show_bug.cgi?id=577341 mentioned by @jkubitz which changed XMLMemento to add "file" to the properties: javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD and javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA? According to the spec, it recommends setting the properties to "" and I notice XMLMemento is showing up in the report. Is this a separate case or a false positive or should it be done as specified in https://rules.sonarsource.com/java/RSPEC-2755?

@jkubitz do you plan to contribute fixes for the issue?

At least for PDE it looks like the same pattern can be used for most, if not all occurrences. Therefore I think it makes sense to have a utility method that returns a properly configured DocumentBuilderFactory/XMLInputFactory. Besides that, when searching PDE's code base for DocumentBuilderFactory.newInstance(), I got more hits than the listed ones, maybe this applies for other repos too.

When we agree it should be fixed in the sense to disallow all external xml references i could contribute something. I would like a solution where platform (runtime?) offers a configured parser.

Sounds good to me. We should just make sure that this does not become a official API.

Here is a complete sorted List of SonarLint hits in IDE workspace:

/org.eclipse.ant.ui/Ant Editor/org/eclipse/ant/internal/ui/dtdParser.java
/org.eclipse.ant.ui/Ant Editor/org/eclipse/ant/internal/ui/editorTaskDescriptionProvider.java
/org.eclipse.ant.ui/Ant Tools Support/org/eclipse/ant/internal/ui/datatransferExportUtil.java
/org.eclipse.ant.ui/Ant Tools Support/org/eclipse/ant/internal/ui/datatransferExportUtil.java
/org.eclipse.ant.ui/Ant Tools Support/org/eclipse/ant/internal/ui/datatransferExportUtil.java

/org.eclipse.compare.examples.xml/src/org/eclipse/compare/examples/xmlXMLStructureCreator.java

/org.eclipse.core.tests.harness/src/org/eclipse/core/tests/sessionSetupManager.java
/org.eclipse.core.variables/src/org/eclipse/core/internal/variablesStringVariableManager.java
/org.eclipse.core.variables/src/org/eclipse/core/internal/variablesStringVariableManager.java

/org.eclipse.debug.core/core/org/eclipse/debug/coreDebugPlugin.java
/org.eclipse.debug.core/core/org/eclipse/debug/internal/coreLaunchConfiguration.java
/org.eclipse.debug.core/core/org/eclipse/debug/internal/coreLaunchManager.java
/org.eclipse.debug.core/core/org/eclipse/debug/internal/coreLaunchManager.java
/org.eclipse.debug.core/core/org/eclipse/debug/internal/coreXMLMemento.java
/org.eclipse.debug.ui/ui/org/eclipse/debug/internal/ui/launchConfigurationsLaunchConfigurationManager.java
/org.eclipse.debug.ui/ui/org/eclipse/debug/internal/ui/sourcelookupWorkingSetSourceContainerType.java

/org.eclipse.e4.tools.emf.ui/src/org/eclipse/e4/tools/emf/ui/internal/common/component/tabsListTab.java
/org.eclipse.e4.tools.emf.ui/src/org/eclipse/e4/tools/emf/ui/internal/common/component/tabsListTab.java
/org.eclipse.e4.tools.emf.ui/src/org/eclipse/e4/tools/emf/ui/internal/common/resourcelocatorTargetPlatformContributionCollector.java

/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpersSecureXMLUtil.java
/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpersSecureXMLUtil.java
/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipseInfoPListEditor.java

/org.eclipse.help.ui/src/org/eclipse/help/ui/internal/viewsEngineDescriptorManager.java
/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/parserResultParser.java
/org.eclipse.help/src/org/eclipse/help/internal/dynamicDocumentWriter.java
/org.eclipse.help/src/org/eclipse/help/internalHelpData.java

/org.eclipse.jdt.apt.core/src/org/eclipse/jdt/apt/core/internal/utilFactoryPathUtil.java
/org.eclipse.jdt.core.internal.tools/src/org/eclipse/jdt/core/internal/tools/unicodeTableBuilder.java
/org.eclipse.jdt.core/model/org/eclipse/jdt/internal/coreJavaModelManager.java
/org.eclipse.jdt.core/model/org/eclipse/jdt/internal/coreJavaProject.java
/org.eclipse.jdt.core/model/org/eclipse/jdt/internal/coreJavaProject.java
/org.eclipse.jdt.core/model/org/eclipse/jdt/internal/coreUserLibrary.java
/org.eclipse.jdt.junit.core/src/org/eclipse/jdt/internal/junit/modelJUnitModel.java
/org.eclipse.jdt.junit.core/src/org/eclipse/jdt/internal/junit/modelJUnitModel.java
/org.eclipse.jdt.junit.core/src/org/eclipse/jdt/internal/junit/modelJUnitModel.java
/org.eclipse.jdt.junit.core/src/org/eclipse/jdt/internal/junit/modelJUnitModel.java
/org.eclipse.jdt.launching/launching/org/eclipse/jdt/internal/launchingLaunchingPlugin.java
/org.eclipse.jdt.launching/launching/org/eclipse/jdt/internal/launchingLaunchingPlugin.java
/org.eclipse.jdt.launching/launching/org/eclipse/jdt/internal/launchingVMDefinitionsContainer.java
/org.eclipse.jdt.launching/launching/org/eclipse/jdt/launching/sourcelookupArchiveSourceLocation.java
/org.eclipse.jdt.launching/launching/org/eclipse/jdt/launching/sourcelookupDirectorySourceLocation.java
/org.eclipse.jdt.launching/launching/org/eclipse/jdt/launching/sourcelookupJavaProjectSourceLocation.java
/org.eclipse.jdt.launching/launching/org/eclipse/jdt/launching/sourcelookupJavaSourceLocator.java
/org.eclipse.jdt.launching/launching/org/eclipse/jdt/launching/sourcelookupPackageFragmentRootSourceLocation.java
/org.eclipse.jdt.ui/core extension/org/eclipse/jdt/internal/corext/template/javaTemplateSet.java
/org.eclipse.jdt.ui/core extension/org/eclipse/jdt/internal/corext/template/javaTemplateSet.java
/org.eclipse.jdt.ui/core extension/org/eclipse/jdt/internal/corext/utilHistory.java
/org.eclipse.jdt.ui/core extension/org/eclipse/jdt/internal/corext/utilHistory.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/jarpackagerfatFatJarRsrcUrlAntExporter.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/jarpackagerfatUnpackFatJarAntExporter.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/jarpackagerfatUnpackJarAntExporter.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/jarpackagerJarPackageReader.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/jarpackagerJarPackageWriter.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/javadocexportJavadocReader.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/javadocexportJavadocWriter.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/preferences/formatterProfileStore.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/preferences/formatterProfileStore.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/preferencesUserLibraryPreferencePage.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/preferencesUserLibraryPreferencePage.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/text/javaContentAssistHistory.java
/org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/text/javaContentAssistHistory.java

/org.eclipse.jface/src/org/eclipse/jface/dialogsDialogSettings.java

/org.eclipse.ltk.core.refactoring/src/org/eclipse/ltk/internal/core/refactoring/historyRefactoringHistoryManager.java
/org.eclipse.ltk.core.refactoring/src/org/eclipse/ltk/internal/core/refactoringRefactoringSessionReader.java

/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/frameworkXMLParsingServiceFactory.java
/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/frameworkXMLParsingServiceFactory.java

/org.eclipse.pde.api.tools.ui/src/org/eclipse/pde/api/tools/ui/internal/actionsExportSessionAction.java
/org.eclipse.pde.api.tools/src/org/eclipse/pde/api/tools/internal/modelBundleComponent.java
/org.eclipse.pde.api.tools/src/org/eclipse/pde/api/tools/internal/searchUseReportConverter.java
/org.eclipse.pde.api.tools/src/org/eclipse/pde/api/tools/internal/searchUseScanParser.java
/org.eclipse.pde.api.tools/src/org/eclipse/pde/api/tools/internal/utilUtil.java
/org.eclipse.pde.api.tools/src/org/eclipse/pde/api/tools/internal/utilUtil.java
/org.eclipse.pde.api.tools/src/org/eclipse/pde/api/tools/internalApiBaselineManager.java
/org.eclipse.pde.api.tools/src/org/eclipse/pde/api/tools/internalAPIFileGenerator.java
/org.eclipse.pde.api.tools/src_ant/org/eclipse/pde/api/tools/internal/tasksAnalysisReportConversionTask.java
/org.eclipse.pde.api.tools/src_ant/org/eclipse/pde/api/tools/internal/tasksAPIDeprecationReportConversionTask.java
/org.eclipse.pde.api.tools/src_ant/org/eclipse/pde/api/tools/internal/tasksAPIFreezeReportConversionTask.java
/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/buildersBuildErrorReporter.java
/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/buildersBuildErrorReporter.java
/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/pluginAbstractExtensions.java
/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/pluginPluginBase.java
/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/targetIUBundleContainer.java
/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/targetIULocationFactory.java
/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/targetTargetDefinitionPersistenceHelper.java
/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/targetTargetDefinitionPersistenceHelper.java
/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/targetTargetPersistence38Helper.java
/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/targetTargetRefrenceLocationFactory.java
/org.eclipse.pde.core/src/org/eclipse/pde/internal/coreAbstractModel.java
/org.eclipse.pde.core/src/org/eclipse/pde/internal/corePDEAuxiliaryState.java

/org.eclipse.swt.tools/Mac Generation/org/eclipse/swt/tools/internalMacGenerator.java

/org.eclipse.text/src/org/eclipse/text/templatesTemplateReaderWriter.java
/org.eclipse.text/src/org/eclipse/text/templatesTemplateReaderWriter.java

/org.eclipse.tips.ide/src/org/eclipse/tips/ide/internalIDETipManager.java

/org.eclipse.ui.intro/src/org/eclipse/ui/internal/intro/impl/model/loaderIntroContentParser.java
/org.eclipse.ui.intro/src/org/eclipse/ui/intro/contentprovidersEclipseRSSViewer.java
/org.eclipse.ui.workbench/Eclipse UI/org/eclipse/uiXMLMemento.java

/org.eclipse.unittest.ui/src/org/eclipse/unittest/internal/modelUnitTestModel.java
/org.eclipse.unittest.ui/src/org/eclipse/unittest/internal/ui/historyHistoryItem.java
/org.eclipse.unittest.ui/src/org/eclipse/unittest/internal/ui/historyHistoryItem.java
/org.eclipse.unittest.ui/src/org/eclipse/unittest/internal/ui/historyHistoryItem.java

/org.eclipse.urischeme/src/org/eclipse/urischeme/internal/registrationPlistFileWriter.java
/org.eclipse.urischeme/src/org/eclipse/urischeme/internal/registrationPlistFileWriter.java

Example steps to reproduce external file access: Have any .xml file like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root_element SYSTEM "file:///c:/mysecret.txt">

• open it in eclipse Editor

or paste the line

<!DOCTYPE root_element SYSTEM "file://./mysecret.txt">

into plugin.xml or feature.xml

• open plugin Editor

and watch your filesystem. On windows for example with sysinternals process monitor:

The "java.exe" in this case is lsp4j/"org.eclipse.lemminx.XMLServerLauncher" startet by "eclipse.exe"

Do we have any usecase where we need external files? If not let's disable all. Even "file", as Jeff mentioned.

Do we have any usecase where we need external files? If not let's disable all. Even "file", as Jeff mentioned.

At least for PDE I'm not aware of a use-case where external files are needed, but I haven't checked all cases. I would also have started with a restrictive approach until hitting a point where this is not sufficient.

example stacktrace how jdt tries to open external file:

java.io.FileNotFoundException: c:\mysecret.txt (Das System kann die angegebene Datei nicht finden)
	at java.base/java.io.FileInputStream.open0(Native Method)
	at java.base/java.io.FileInputStream.open(FileInputStream.java:216)
	at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
	at java.base/java.io.FileInputStream.<init>(FileInputStream.java:111)
	at java.base/sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:86)
	at java.base/sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:189)
	at java.xml/com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:653)
	at java.xml/com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startEntity(XMLEntityManager.java:1397)
	at java.xml/com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startDTDEntity(XMLEntityManager.java:1363)
	at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.setInputSource(XMLDTDScannerImpl.java:257)
	at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.dispatch(XMLDocumentScannerImpl.java:1152)
	at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.next(XMLDocumentScannerImpl.java:1040)
	at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:943)
	at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
	at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:542)
	at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:889)
	at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:825)
	at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
	at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1224)
	at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:637)
	at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl.parse(SAXParserImpl.java:326)
	at java.xml/javax.xml.parsers.SAXParser.parse(SAXParser.java:330)
	at org.eclipse.jdt.core.tests.formatter.DecodeCodeFormatterPreferences.decodeCodeFormatterOptions(DecodeCodeFormatterPreferences.java:68)
	at org.eclipse.jdt.core.tests.formatter.FormatterRegressionTests._test749(FormatterRegressionTests.java:16229)

@mbarbero are we supposed to publicly discuss and commit security fixes on GitHub with normal Pull Request?

No, it is better to work on the fix privately. For that, we can assign the projects committers (or PL only) the "security manager" role on the github organization. With this permission, users with this role can create a security adivisory to discussing and working on the fix. The fix can be elaborated on a temporary private fork and then create a PR from the private fork. It's best to not mention anything about the vulnerability in the commit / PR comments, just focusing on the technical details. Once the fix is merged and release, you can add a comment to the changelog mentioning that a vulnerability has been fixed via PR-XXX and give details about the vulnerability. You can also give a CVE number if you've decided to assign one for the vulnerability.

All of this is detailed in the project handbook.

Hope this helps.

https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/security/advisories

https://github.com/eclipse-platform/eclipse.platform/security/advisories

https://github.com/eclipse-platform/.github/security/advisories

...

do not show the option to create a "temporary private fork". please help.

To create a temporary fork for a security fix, it needs to be linked to security advisories. And currently it seems that security advisories are disabled for eclipse-platform. That might be a good occasion to enable them and also enable private reporting via GitHub (and take part in our GitHub pilot for private security advisories).

Please note that it does not disable the possibility to use the current methods - it just adds one more and some handy features for the project team.

Could you have a chat amongst project members? If you'd like to do it, create a Helpdesk issue https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/new

Also please note that this new process is documented in the Handbook already https://www.eclipse.org/projects/handbook/#vulnerability-cve and I've also mentioned in some of my recent blog posts like https://blogs.eclipse.org/post/marta-rybczynska/eclipse-foundation-default-security-tracker-moves

@mistria can you please enable security advisories for all repositories?

Security advisories are already enabled (there is the "Security" tab on GitHub project page you can browse). However, I see in the doc

Who can use this feature

Anyone with admin permissions to a repository, or with a security manager role within the repository, can create a security advisory.

I suspect that the maintainers (committers or project leads) misses to be assigned a "security manager" role, so at the moment, no-one can use the feature because of this missing permission.

When using self-service for your GitHub organization, you can request changes to the security managers for your organization via a configuration file. Take a look at the adoptium project which has the project leads defined as security managers (others have all committers):

https://github.com/adoptium/.eclipsefdn/blob/main/otterdog/adoptium.jsonnet#L11

If you want more information about the self service (https://www.eclipse.org/projects/handbook/#resources-github-self-service), please let me know.

@mistria i suggest to define all committers as security managers

@netomi As far as I can see, Platform is not using self-service GitHub. Can you please enable it?

you refer to https://github.com/eclipse-platform/ ?

sure I can enable it.

Yes please.

seem to work on platform now. Please also enable on https://github.com/eclipse-jdt

You mean adding all committers as security manager?

self-service is already enabled for eclipse-jdt, you can create the PR yourself (use the one from eclipse-platform as reference: https://github.com/eclipse-platform/.eclipsefdn/pull/1)

However, a change like that will require an approval of one of the project leads of the jdt project. When creating the PR can you add a project lead as reviewer?

I still can't create a private PR for discussion on https://github.com/eclipse-jdt/eclipse.jdt.core/security/advisories

Created PR https://github.com/eclipse-jdt/.eclipsefdn/pull/1 to enable committers as security managers. After it is approved and applied you can create security advisories. Alter reviewer as needed, I picked one project lead as the team is not public yet (we plan to make all teams public).

thanks, i am not allowed to edit https://github.com/eclipse-jdt/.eclipsefdn/edit/main/otterdog/eclipse-jdt.jsonnet

the process is to create PRs that will be approved and merged by EF staff. After being merged the changes will be applied to your live configuration at GitHub.

@hwellmannwr6 for PDE see https://github.com/eclipse-pde/eclipse.pde/pull/632

mentioned in issue cve-assignement#5 (closed)

for PDE: reserved CVE-2023-3594 cve-assignement#5 (comment 1178533)

The CVE ID is reserved, but please do not use it publicly (this ticket is OK, because it is confidential) before you release a fix and we fill up all details of that CVE. If you need any assistance, contact me or @mbarbero

Dear JDT committers, who volunteers to discuss/review security change privately?

platform: also ".project" files are vulnerable xml.

Example .project:

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE price [
<!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
	<name>p</name>
	<comment>&xxe;</comment>
</projectDescription>

Victim only needs to refresh an already open project or open it. So basically as soon as you pull anything (for example to review PR) an remote server can read victims file system.

@hwellmannwr6 Dear Equinox (https://github.com/eclipse-equinox/equinox.git) please take a look at

org.eclipse.osgi.internal.framework.XMLParsingServiceFactory.createService()
org.eclipse.core.runtime.spi.RegistryStrategy.getXMLParser()
org.eclipse.equinox.internal.transforms.xslt.XSLTStreamTransformer.getTemplate(URL)

I am not committer on that project

org.eclipse.osgi.internal.framework.XMLParsingServiceFactory

Since with this org.eclipse.osgi needs a SAXParser and a DocumentBuilder we have already many cases used in equinox that are provided by the general XMLProcessorFactory that you created for PDE in https://github.com/eclipse-pde/eclipse.pde/pull/667#discussion_r1261976533.

As background for others, we are looking for a place for a XMLProcessorFactory that provides factories for SAXParsers, DocumentBuilders ans Transformers that are configured to be not vulnerable for XXE attacks. Ideally there is only one such class used by all Eclipse SDK projects (Equinox, Platform, JDT and PDE), but is not API for downstream consumers. This probably has the effect that not all methods are called by projects in the repo that contains it, but IMHO it is more important to have a single location to maintain that multiple copies of it. And since all SDK projects are build in the I-Builds it would be noticed quickly if something changed in an incompatible way. Nevertheless the documentation of the class should state that callers can be all over the SDK.

Since Equinox and even org.eclipse.osgi needs a XMLProcessorFactory too, I suggest the package org.eclipse.osgi.framework.util as location for it. In general it I think it would be better to use a package that has internal in its name (org.eclipse.osgi.framework.util is only marked as internal in the Manifest), but I didn't found any fitting one. If we really want that, we could either create a new one like org.eclipse.osgi.internal.xml or place it in an existing one with a not so fitting name (I wouldn't mind much). @twatson what do you think?

Btw. is it already possible to create a security advisory for Equinox? I didn't find a way. If not can it please be enabled?

@netomi please configure security advisory for https://github.com/eclipse-equinox/equinox.git

@hwellmannwr6 Why isn't the one place to update in org.eclipse.osgi.internal.framework.XMLParsingServiceFactory.createService() to return a factory properly configured? Everywhere else just use the OSGi service to get the properly configured factory.

Have to admit that I didn't think about that yet, but that would definitely be the most OSGi-like way. This also reminds me about https://github.com/eclipse-equinox/equinox/pull/146, which would make it quite convenient to obtain a parser-factory. Would be a good reason for me to complete that.

But besides a SAXParserFactory and a DocumentBuilderFactory it would require also a service registration for TransformerFactory. Furthermore the PDEXmlProcessorFactory suggested in https://github.com/eclipse-pde/eclipse.pde/pull/667 also provides SAXParserFactorys with different levels of DOCTYPE rejection. But this could be specified using service-attributes.

@jkubitz what do you think?

@netomi please configure security advisory for https://github.com/eclipse-equinox/equinox.git

I can see that security advisories are now enabled for the equinox repository, but I don't see the button to draft a new one like for https://github.com/eclipse-platform/eclipse.platform.

The framework registers a ServiceFactory for the SAXParserFactory and DocumentBuilderFactory so each bundle can individually configure the instance they get (e.g. what PDE needs for different levels of DOCTYPE rejection). We could change it to be a PrototypeServiceFactory so that a bundle can configure multiple factory instances if need be. But by default the factory we return would be auto configure to prevent the XXE. I'm unsure what uses TransformerFactory in Eclipse. But I would prefer not adding a new service registration down in the framework for that. Perhaps adding it to equinox.common or to core.runtime would be useful.

github search show there is at least one repo which did utilize ENTITY resolution in an eclipse .project file

https://github.com/picpromusic/BuildHelpers/blob/1cda0b2729fed6d136a30d3e355d8d3c9f63d734/EclipseProjectsForOpenJDK/Old_Build/jdk/make/eclipse/swing/.project~#L10

With the proposed changes such will not supported anymore.

Can you tell what the purpose of this is? Wouldn't it be possible to just support local resolution respectively file-URLs?

I don't see a real need for supporting entity for .project. Normally eclipse should write it and it won't write any entity. If we would support file resolution you could inject a local secret into the .project. And file is not even necessary local (if you have a remote filesystem mounted). The safest way is to just forbid anything if we don't need it. If there will be a usecase to need file resolution the user should contribute a safe way to do so. The only .xml files in eclipse that i know that normally used with file resolution are ant's build.xml scripts. For those it doesn't matter to parse the entity while executing the script because the script could do anything anyways. However it would be wrong to perfrom the resolution while only showing the script.

@netomi Github actions, like verification builds, are not executed in the private forks. That way we can not see if verification would fail. please help.

This question has already been raised by others, but apparently GitHub decides to be silent about it:

https://github.com/orgs/community/discussions/35165

However, you could take a look into this project:

https://github.com/nektos/act

which allows you to run GitHub workflows locally. I did not test it yet out myself, but it looks very promising to me.

Would you please contact github support instead of only relying on a community discussion? This renders those advisories almost useless.

Its on their public roadmap, planned for Q1 2024: https://github.com/github/roadmap/issues/627

I am currently testing act on the eclipse.jdt.core-ghsa-794m-c7jj-3qxv repo.

@jkubitz ok so I checked the workflows in the eclipse.jdt.core repo and I am not sure how useful it is to be able to run them. They seem to be related for release management and publishing unit test results.

The actual interesting jobs are run on jenkins: https://ci.eclipse.org/jdt/job/eclipse.jdt.core-Github/

Using the Jenkinsfile in the repo.

In order to validate that the fixes in the eclipse.jdt.core-ghsa-794m-c7jj-3qxv repo are not breaking anything, somebody will have to setup a job on jenkins that checks out the clone and runs the build. I will check with my colleagues how we usually do that for eclipse-jdt.

CI on jenkins would be enough

added a note to the advisory with a link to the created job on ci.eclipse.org.

made the issue visible to everyone

assigned to @emerks and @jograham

made the issue confidential

@netomi i can't see https://ci.eclipse.org/jdt/job/eclipse.jdt.ui-github-security/ even when i am logged in. It states i need to login. for jdt.debug and jdt.core i do not have that problem. please help

Permissions have been fixed. Please try again.

JDT related build jobs have been moved to https://ci.eclipse.org/jdt/job/security-advisories/